Terms and Conditions

Updated 3rd of March 2022

Thank you for choosing to use our products and services (Services).

This agreement (Agreement) is between SecureStack Pty Ltd (“SecureStack”, “us,” “we,” “our” or the “Company”) and the person or entity agreeing to these terms (“you” or the “Customer”). If you are agreeing to this Agreement not as an individual but on behalf of your company, then “you” means your company, and you are binding your company to this Agreement.

This Agreement and its terms shall apply unless otherwise expressly replaced by a separate agreement between you and SecureStack.

The “Effective Date” of this Agreement is the date which is the earlier of (a) your initial access to or use of the Services (as defined below) or (b) the effective date of the first Order referencing this Agreement.

By clicking on the “I agree” (or similar button or checkbox) that is presented to you at the time of your Order or upon accessing the Services, or by using or accessing the Services, you indicate your assent to be bound by this Agreement. Alternatively, acceptance of any Xero quote provided by SecureStack will indicate your assent to be bound by this Agreement and the terms of any Order specified in the Xero quote. If you do not agree to this Agreement, do not use or access the Services.


Scope

These terms govern your use of the Services. These Terms include the Privacy Policy, Site Terms and Conditions, any Orders and any other references to SecureStack policies and attachments posted at www.securestack.com (Site) from time to time as though those policies were included in these Terms. If any of the provisions of any applicable SecureStack policy conflict with these Terms, these Terms have priority, solely to the extent such Terms apply to the Service.

Your Account, Authorized Users and Secondary Users

You are required to register for an Account to access the Services (Account Registration). Any registration information that you provide to us must be accurate, current and complete. You must also update your information so that we may send notices, statements and other information to you by email or through your account.

You are responsible for maintaining the confidentiality of your account login credentials including your username and password. You are also responsible for all actions taken through your accounts.

Access to the Services may be subject to approval of your Account Registration by SecureStack. Approval of an Account Registration is at the sole discretion of SecureStack, and SecureStack reserves the right to deny any Account Registration. If your Account Registration is denied, any Fees that have been paid will be refunded to you.

Only Authorized Users may access and use the Services. Some Services may allow you to designate different types of Authorized Users, in which case pricing and functionality may vary according to the type of Authorized User. You are responsible for compliance with this Agreement by all Authorized Users, including what Authorized Users do with your data, and for all fees incurred by Authorized Users (or from adding Authorized Users). All use of Services must be solely for the benefit of you or your Affiliates and must be within the Scope of Use.

Certain Services may be used as part of your own product or services. Subject to the terms and conditions of this Agreement, you may grant your own customers’ end users (“Secondary Users”) limited rights to use the Services solely so that they may view and interact with such resources. You may not permit Secondary Users to use the Services for purposes unrelated to supporting your own offerings or grant Secondary Users administrator, configuration or similar use of the Services.

You may not charge Secondary Users a specific fee for use of the Services, but you may charge an overall fee for your own offerings.

You are responsible for all Secondary Users as “Authorized Users” and are otherwise solely responsible for your own products, support offerings and Secondary relationships. Notwithstanding anything to the contrary in this Agreement, the Company has no direct or indirect warranty, indemnity or other liability or obligations of any kind to Secondary Users.

Term of Agreement

Except as otherwise specified in your Order, any subscriptions will automatically renew for periods equal to your initial Term (and you will be charged at the then-current rates) unless you cancel your subscription in writing or through your account at the Site.

If you cancel, your subscription will terminate at the end of then-current billing cycle, but you will not be entitled to any credits or refunds for amounts accrued or paid prior to such termination.

If SecureStack does not want the Services to renew, then it will provide you written notice to this effect. This notice of non-renewal will be effective upon the conclusion of the then current Term.

Payment of Fees

You agree to pay all Fees in accordance with your Order. Unless otherwise specified in your Order, you will pay all amounts at the time you place your Order. All amounts are non-refundable, non-cancellable and non-creditable unless otherwise specified in this Agreement. In making payments, you acknowledge that you are not relying on future availability of the Service beyond the current agreed Term or any Service upgrades or feature enhancements.

You are responsible for any duties, customs fees, or taxes (other than our income tax) associated with the sale of the Services, including any related penalties or interest (Taxes), and you will pay us for the Services without any reduction for Taxes.

If we are obligated to collect or pay Taxes, the Taxes will be invoiced to you, unless you provide us with a valid tax exemption certificate authorized by the appropriate taxing authority. If you are required by law to withhold any Taxes from payments to us, you must provide us with an official tax.

As part of our commitment to customer satisfaction, you may terminate your initial Order of the applicable Software under this Agreement, for no reason or any reason, by providing notice of termination and returning any applicable Software to SecureStack no later than thirty (30) days after the Order date for such Software. This termination and refund right applies only to your initial Order and only if you exercise your termination right within the period specified above and does not apply to any Additional Services as specified in your Order. You understand that SecureStack may change this practice in the future in accordance with the Terms of this Agreement.

Your License

Subject to these Terms, SecureStack grants you a non-exclusive, non-transferable revocable license to use the Service on a compatible computer, mobile telephone or handheld device (Device) owned or controlled by you for the Designated Period specified in your Order.

Unless permitted by law or as otherwise expressly permitted in these Terms, you must not (nor may you authorise any third person to):

(i) rent, lease, distribute, license, sublicense, sell, transfer, assign or otherwise provide access to the Service to a third party;

(ii) reproduce, modify, adapt, create derivative works of, the Service;

(iii) reverse engineer, disassemble, decompile, transfer, exchange or translate the Service or otherwise seek to obtain or derive the source code or API;

(iv) remove or tamper with any disclaimers or other legal notices;

(v) combine the whole or any part of the Service with any other software, data or material;

(vi) store or use any part of the data you do not own in an archival database or other searchable database. You must promptly notify us in writing of any breach of these conditions of use.

Intellectual Property Rights

You agree that all intellectual property of any sort in or associated with the Service, including all code, libraries, programs, software, information, data, documentation, content, databases, systems, logos and trademarks are owned either directly by us or by our licensors. You are not authorised to use any of our intellectual property except as is expressly allowed under these Terms.

You grant SecureStack a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, license to use the copyright and other intellectual property rights you have in all information, answers, content, data, and inputs posted, uploaded, and entered into the site during use of the Service (Content) for the limited purpose of operating, developing, providing, and improving the Service and researching and developing new ones. Our license to your Content is subject to your rights under applicable law (such as laws regarding personal data protection to the extent any Content contains personal information as defined by those laws).

Your Obligations

You agree to use the Services in an acceptable manner (Acceptable Use), which includes agreeing not to use, and not to allow others to use, the Services:

(i) to violate, or encourage the violation of, the legal rights of others (for example, this may include allowing Users to infringe or misappropriate the intellectual property rights of others in violation of the Digital Millennium Copyright Act);

(ii) to engage in, promote or encourage illegal activity;

(iii) for any unlawful, invasive, infringing, defamatory or fraudulent purpose (for example, this may include phishing, creating a pyramid scheme or mirroring a website);

(iv) to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other items of a destructive or deceptive nature;

(v) to interfere with the use of the Services, or the equipment used to provide the Services, by customers, authorized resellers, or other authorized users;

(vi) to disable, interfere with or circumvent any aspect of the Services;

(vii) to generate, distribute, publish or facilitate unsolicited mass email, promotions, advertisings or other solicitations (“spam”); or

(viii) to use the Services, or any interfaces provided with the Services, to access any other SecureStack product or service in a manner that violates the terms of service of such other SecureStack product or service.

Security

By using the Service, you acknowledge that it is your sole responsibility to ensure the confidentiality and security of any information transmitted from or stored on a Device for the purposes of the Service, for all transactions and other activities in the End User’s name, whether authorized or unauthorized. You understand that use of the Service involves transmission of your data over networks that are not owned, operated or controlled by us, and we are not responsible for any of your data lost, altered, intercepted or stored across such networks. We cannot guarantee that our security procedures will be error-free, that transmissions of your data will always be secure or that unauthorized third parties will never be able to defeat our security measures or those of our third-party service providers.

Privacy Policy

Any information you supply to us when using the Service will be collected and used by us in accordance with our Privacy Policy which you can find at https://securestack.com/privacy-policy/

Disclaimer

Except as expressly stated in this Agreement, we do not make any representation or warranty (express or implied) in respect of the Services, any Materials or any other goods or services provided by SecureStack to you, including, without limitation, any implied warranty:

(i) of merchantability;

(ii) of fitness for a particular purpose;

(iii) arising from a course of performance, course of dealing, or usage of trade;

(iv) of non-infringement of third party rights; or

(v) against hidden defects.

The Service and Materials are provided on an “as is”, “with all faults” and “as available” basis and without any further warranties of any kind. We make no warranty that operation of the Service or any Materials will be uninterrupted or error free or that all defects will be corrected.

Without limiting the above, you acknowledge that:

(i) you are using the Service at your own risk;

(ii) the Service is not a substitute for professional advice;

(iii) you are solely responsible for the use of the Service and agree that it is your responsibility to review and assess the information, results, findings, and recommended actions provided by the Service; and

(iv) you have not relied on any representation in ordering the Service or any goods and services from us.

To the maximum extent permitted by law, we exclude completely all liability whatsoever for any claims, liability, loss or damage of any kind however caused (including negligence) arising out of or in connection with any goods or services provided by us including the Service and its access, use or performance, including, without limitation, we are not liable for:

(i) misuse of the Service or any Materials;

(ii) use of the Service or any Materials with third party data, software or hardware which is incompatible with the Service and/or not recommended by us;

(iii) reduced performance or non-availability of the Service or any Materials as a result of network connections; or

(iv) errors in the Service or any Materials resulting from your configuration or manipulation of the Service or any Materials, in each case not specifically recommended in writing by us.

Under no circumstances (including but not limited to any act or omission on our part) will we be liable for any loss or damages (including, without limitation, indirect, incidental, special or consequential or punitive damages and damages for loss of profits) whatsoever which result from any use, or any inability to use, the Service or any Materials.

To the maximum extent permitted by law, our liability for breach of any implied warranty or condition which cannot be excluded is limited at our option to supply of the good or service ordered by you again or paying for their resupply.

Notwithstanding the above, to the maximum extent permitted by law, in no event shall our aggregate liability for any claims arising out of or related to these Terms exceed the greater of one hundred Australian dollars ($100) or the amount that you paid, if any, to us for access to or use of the Service during the six months’ period immediately prior to the event giving rise to such liability.

You agree to indemnify SecureStack and its related parties, officers, agents and employees (Indemnified Parties) in respect of any claim, action, damage, loss, liability, cost, charge, expense, outgoing or payment (including legal expenses (on a full indemnity basis) arising from or relating to:

(i) your use of the Service or any Materials;

(ii) a breach of these Terms by you; and

(iii) your breach of any applicable law.

Termination

This Agreement is in effect for the Designated Period, unless sooner terminated as permitted in these Terms. Either party may terminate this Agreement before the expiration of the Designated Period if the other party materially breaches any of these Terms and does not cure the breach within thirty (30) days after written notice of the breach, or if the other party ceases to operate, declares bankruptcy, or becomes insolvent or otherwise unable to meet its financial obligations.

We may terminate this Agreement before the expiration of the Designated Period if you are in material breach of these Terms.

You may terminate this Agreement at any time with notice to SecureStack, but you will not be entitled to any credits or refunds as a result of convenience termination.

Except where an exclusive remedy may be specified in these Terms, the exercise by either party of any remedy, including termination, will be without prejudice to any other remedies it may have under these Terms, by law, or otherwise.

Except as set forth in this Section, once the Agreement terminates, then:

(i) the rights and licenses granted by SecureStack to you will cease immediately (except as set forth in this Section);

(ii) you must cease all use of the Service and any third party Materials;

(iii) you must pay to us any and all outstanding Fees for the Designated Period;

(iv) you undertake not to attempt to access the Service or any data stored in the Service, any third party Materials or the Site after the date of termination.

If we become aware of a breach by you of these Terms, then we may specifically request that you suspend the applicable Account. If you fail to comply with our request to suspend an account, then we may do so. The duration of any suspension by us will be until the applicable End User has cured the breach which caused the suspension.

Survival

The following provisions will survive any termination or expiration of this Agreement: Intellectual Property Rights; Payment of Fees; Privacy Policy; Disclaimer; Termination and suspension; General; and any other Sections which by intent or meaning have validity beyond termination or expiration of this Agreement.

Amendments

We may update or modify these Terms from time to time, including any referenced policies and other documents. If a revision meaningfully reduces your rights, we will use reasonable efforts to notify you (by, for example, sending an email to the billing or technical contact you designate in the applicable Order, posting on our Site, through your account, or in the Service itself). If we modify these Terms during the Term, the modified version will be effective upon your next renewal of the Term, as applicable. In this case, if you object to the updated Terms, as your exclusive remedy, you may choose not to renew, including cancelling any Terms set to auto-renew.

For the avoidance of doubt, any Order is subject to the version of the Terms in effect at the time of the Order.

General

These Terms are governed by the laws of New South Wales, Australia and the parties agree to submit to the exclusive jurisdiction of the courts in New South Wales, Australia.

If any provision of these Terms is held to be invalid, illegal, or unenforceable that provision shall be deemed omitted to the extent that it is invalid, illegal, or unenforceable and the remainder of the Terms shall be construed in a manner as to give greatest effect to the original intention of these Terms.

The waiver of any right or failure of either of us to exercise in any respect any right provided in these Terms in any instance shall not be deemed to be a waiver of such right in the future or a waiver of any right under these Terms.

Neither party will be liable for inadequate performance to the extent caused by a condition (for example, natural disaster, act of war or terrorism, riot, labor condition, governmental action, and internet disturbance) that was beyond the party’s reasonable control (Force Majeure).

Your use of any website or software that is not provided by us to access or download the Service shall be governed by the terms and conditions applicable to that website or software. We are not responsible for any consequences resulting from the use of such website or software, including but not limited to any damage to your property, including your Device, or the transfer of any computer virus or similar malicious code, except to the extent such consequences are caused by the Service.

Any notices to you may either be posted on the Site or given in writing (which may be by email) to the address last notified by you to SecureStack. Any notices to SecureStack, and any questions, concerns or complaints relating to the Service shall be in writing and addressed to:

SecureStack Pty Ltd,

16 Nexus Way, Southport

QLD 4215

Or given by email to: hello@securestack.com

You agree to use your best endeavours to resolve any dispute arising out of or relating to these Terms, with us, prior to resorting to any external dispute resolution process. Please notify us in writing of any dispute you may have.

This Agreement, and any rights and licenses granted hereunder, must not be transferred or assigned by you without our prior express written consent. We may, without restriction, assign this Agreement and our rights and delegate our obligations hereunder to:

(i) any of our affiliates or subsidiaries; or

(ii) a third party participating in a merger, acquisition, sale of shares or assets, change of control, corporate reorganization or similar transaction in which SecureStack is participating.

In respect of the subject matter of the Terms, these Terms contain the entire understanding between the parties. Any previous oral and written communications, agreements, representations, warranties or commitments between the parties in respect of the subject matter are superseded by the Terms and do not affect the interpretation or meaning of the Terms and each of the parties has relied entirely on its own enquiries before entering into the Terms.

Risky Business

In this edition of Snake Oilers we’ll be hearing from Google Security — Anton Chuvakin is appearing on their behalf to talk more about how switching to its cloud-native SIEM actually makes sense now. Paul McCarty from SecureStack will be along to talk through their latest stuff, and it’s interesting actually because they’re doing software composition analysis that includes a lot more information than just what code is going into an application — what services is the application using? Which APIs? They’ve also built some really nice compliance tools where you can do a single scan and see how you measure up against various regimes…

You can find the original podcast at the Risky.biz site here: https://risky.biz/snakeoilers15pt2/


If you like what you see, book a demo!

 

Paul McCarty

Founder of SecureStack

DevSecOps evangelist, entrepreneur, father of 3 and snowboarder

Forbes Top 20 Cyber Startups to Watch in 2021!

 

Australian ISM – Guidelines for Secure Development

The Australian Cyber Security Centre (ACSC) is the arm of the government that provides guidance on how to improve cybersecurity in Australia.  As part of this mandate, they have been producing a document called the “Information Security Manual” (ISM) since 2017.

You can think of the ISM as a single document that helps Australian businesses and government know how to address cybersecurity challenges.  In reality, the ISM is really a collection of different guideline documents that focus on specific areas of IT.  Some of the existing guidelines address things like system hardening, database management, network management, using cryptography, and many others.  These guideline documents as an aggregate can be thought of as “the ISM” and can be used to increase an organization’s cybersecurity maturity which benefits both the organization itself, but also Australian society.

What’s in the Guidelines for Secure Development section of the Australian ISM?

In December of 2021, the ACSC released the latest version of the ISM, which for the first time included a Guideline for Secure Development.  This document lays out a framework for building and maintaining secure software development processes.  It contains 21 controls in total and is more prescriptive than what we typically see from other frameworks like APRA.

You can find the Guidelines for Secure Development here: https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-software-development

The format for this blog post

I wanted to write this blog post to help Australian orgs know about this new compliance requirement from the ACSC.  The new Guidelines for Secure Development document is split into two sections, which we’ll address separately below: application development and web development.

We’ll break both of those two sections down into their individual sub-sections and the controls that exist at each one of those stages. At the end, I talk about how you can assess and implement the controls in the ISM.

From this point on I’ll refer to the Guidelines for Secure Development as “GSD” for brevity’s sake.

Okay, let’s dig in!

Section 1: Application Development

This section of the GSD applies to all forms of software development, including client/server, web and mobile, so it deserves special emphasis in every assessment you make using the GSD.

Within this top level section there are 6 sub-sections:

  • Development environments
  • Secure software design
  • Software bill of materials
  • Secure programming practices
  • Software testing
  • Vulnerability disclosure program

Development, Testing, and Production Environments

Segregating development, testing, pre-production and production environments into discrete, separate workspaces is one of the core principles of secure software design.  This segmentation stops accidental issues and malicious activity from spreading from one environment to another.  Software engineers should be limited to the dev and testing environments so that bad code or third-party issues can’t be pushed to production directly.

There are 4 controls in this sub-section that deal with environment segmentation, the scope for development changes, data segregation, and user access.  If you can’t answer yes to all 4 of these please stop what you are doing and go and address this now!

Secure Software Design and Development

This sub-section deals with the identification of software development risk during the design and development stages.  This sub-section has two controls:  One for “secure design principles” and the second for threat modeling.

I feel like this section is under-baked and needs some love.  What are “secure-by-design practices”?  Would have loved this section to be more prescriptive.  Maybe in the future, we can add things like application baselines, secure code training and application ownership labels.

Software Bill of Materials (SBOM)

This section only has one control and it’s all about the SBOM.  SBOM stands for “Software Bill of Materials”, and it matters because it delivers something we never had before:  a complete “recipe” of what is in an application.  An SBOM is a single source of truth for all the dependencies, frameworks, libraries, resources and services that went into a specific piece of software.  Most definitions of SBOM agree on that much, but some go further and say that known vulnerabilities and cloud-based services should be included as well.  To me this makes sense: an SBOM should be an end-to-end description of the application, and it should also list its deficiencies and liabilities.  If a component used to build an application has a known vulnerability, that should be codified in the SBOM.

SBOM is a huge topic right now because the US government mandated several important software-related security controls in 2021 (Executive Order 14028).  One of those was the requirement for companies selling software to the US government to provide an SBOM.  In practice that requirement flows down the supply chain: a vendor that has to hand over an SBOM needs component inventories from its own suppliers, whether or not those suppliers sell to the US government themselves.

Unfortunately, SBOM hasn’t delivered on its promise yet as very few organisations are actually creating SBOMs when they build software.  If you want to know more about SBOM please check out our blog post on them here:  https://securestack.com/sbom/
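To make the point about codifying known vulnerabilities concrete, here is an added example that is not part of the original post and not SecureStack tooling.  It walks a CycloneDX 1.4 JSON SBOM, joins each vulnerability entry to the component or service it affects, and flags vulnerability references that point at nothing in the BOM.  The SBOM itself is constructed: the package names, versions, the payments-api service and the advisory ids EXAMPLE-0001/0002 are placeholders, not real components or real vulnerabilities.

```python
"""Join a CycloneDX SBOM's vulnerability entries to the components and
services they affect.

Added example, not SecureStack code. SAMPLE_SBOM is constructed: names,
versions, the service and the advisory ids are placeholders. Assumes the
CycloneDX 1.4 JSON layout (components, services, vulnerabilities/affects).
"""
import json

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-lib@1.2.3",
         "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:npm/example-lib@1.2.3"},
        {"type": "library", "bom-ref": "pkg:npm/other-lib@4.0.0",
         "name": "other-lib", "version": "4.0.0",
         "purl": "pkg:npm/other-lib@4.0.0"},
    ],
    # services the application calls at runtime belong in the SBOM as well
    "services": [
        {"bom-ref": "svc:payments-api", "name": "payments-api",
         "endpoints": ["https://payments.example/v1"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "source": {"name": "constructed"},
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}]},
        # deliberately dangling: refers to a component this BOM does not list
        {"id": "EXAMPLE-0002", "source": {"name": "constructed"},
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:npm/not-in-bom@9.9.9"}]},
    ],
})


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def inventory(sbom):
    """Map bom-ref -> entry for every component and service in the BOM."""
    entries = {}
    for kind in ("components", "services"):
        for entry in sbom.get(kind, []):
            entries[entry["bom-ref"]] = dict(entry, kind=kind)
    return entries


def vulnerable_entries(sbom):
    """Resolve each vulnerability's affects[].ref against the inventory."""
    inv = inventory(sbom)
    hits = []
    for vuln in sbom.get("vulnerabilities", []):
        severity = (vuln.get("ratings") or [{}])[0].get("severity", "unknown")
        for affected in vuln.get("affects", []):
            entry = inv.get(affected["ref"])
            if entry is None:
                continue
            hits.append({"ref": affected["ref"], "name": entry.get("name"),
                         "version": entry.get("version"),
                         "vuln_id": vuln["id"], "severity": severity})
    return hits


def dangling_refs(sbom):
    """Vulnerability references that match nothing in the BOM. That is a
    quality problem in the SBOM itself and a reason to reject it at intake."""
    inv = inventory(sbom)
    return sorted({a["ref"] for v in sbom.get("vulnerabilities", [])
                   for a in v.get("affects", []) if a["ref"] not in inv})


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    for hit in vulnerable_entries(bom):
        print(f"{hit['severity']:>7}  {hit['vuln_id']}  {hit['name']}@{hit['version']}")
    print("dangling refs:", dangling_refs(bom))
```

The dangling-reference check is the part most SBOM consumers skip: an SBOM that lists a vulnerability against a component it never declares is either incomplete or generated from a different build, and either way it should not pass an intake gate.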

Application testing and maintenance

There are two controls in this section.  The first deals with testing software applications, both internally, as well as externally.   The second talks about software engineers needing to resolve issues found in their applications.  This is an important part of the document and makes no bones about the engineer’s responsibilities.


Even though there are only two controls here, the description specifically calls out static analysis (SAST), dynamic analysis (DAST), web vulnerability scanning and software composition analysis (SCA).  It also calls out penetration testing, and it says testing should happen “prior to their initial release and following any maintenance activities”.  To me, that sounds like automated tests running in continuous integration and deployment (CI/CD).

So that should really be 6 controls minimum.  I expect this to be fleshed out on the next version of the GSD.


Vulnerability Disclosure Program

There are actually four controls in this sub-section.  The first three are somewhat redundant, switching between the terms “policy”, “program” and “processes”, which might confuse people.  Luckily the last control is straightforward and requires that orgs publish a security.txt file to advertise their VDP information.

I think we can simplify this section in this way:

  • Are security researchers able to come to your website and find how to contact you if they’ve found a security issue?
  • Have you partnered with a platform to allow security researchers to bring security bugs they find to you?
  • Do you have a set of documents that describe your security policies?  And can your employees find it?
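Since the one unambiguous control here is the security.txt file, it is worth being able to check one.  The following is an added example, not part of the original post and not SecureStack code: a small parser and sanity check for a security.txt file in the RFC 9116 format (Contact and Expires are mandatory, Expires must be a single ISO 8601 timestamp in the future, and Contact values must be URIs such as mailto: or https:).  The two files below are constructed; the addresses and URLs are placeholders.

```python
"""Parse and sanity-check a security.txt file (RFC 9116), as a CI step
might before the file is published under /.well-known/.

Added example, not SecureStack code. The two files below are constructed;
contact addresses and URLs are placeholders.
"""
from datetime import datetime, timedelta

REQUIRED = ("contact", "expires")
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

GOOD_SECURITY_TXT = """\
# Constructed example, served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-12-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/vdp
"""

# Bare e-mail address instead of a URI, and an Expires date in the past.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Expires: 2021-01-01T00:00:00Z
"""


def parse_security_txt(text):
    """field-name (lower-cased) -> list of values; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; RFC 9116 says to ignore it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_time(value):
    # fromisoformat() before Python 3.11 does not accept a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_security_txt(text, now="2030-06-01T00:00:00Z"):
    """Return problem codes; an empty list means the file is usable.
    `now` is injectable (ISO 8601) so the check is deterministic."""
    fields = parse_security_txt(text)
    findings = []
    for name in REQUIRED:
        if name not in fields:
            findings.append(f"MISSING_{name.upper()}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            findings.append(f"MULTIPLE_{name.upper()}")
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            findings.append("CONTACT_NOT_URI")  # 'security@example.com' is not valid here
            break
    if "expires" in fields:
        try:
            expires = _parse_time(fields["expires"][0])
            current = _parse_time(now)
            if expires <= current:
                findings.append("EXPIRED")
            elif expires - current > timedelta(days=366):
                findings.append("EXPIRES_OVER_A_YEAR")  # RFC 9116 recommends under a year
        except ValueError:
            findings.append("EXPIRES_NOT_ISO8601")
    return findings


if __name__ == "__main__":
    print("good:", audit_security_txt(GOOD_SECURITY_TXT))
    print("bad: ", audit_security_txt(BAD_SECURITY_TXT))
```

An expired security.txt is the most common real-world failure: the file is published once and forgotten, so researchers stop trusting it.  Pinning the check into CI with a short Expires window forces someone to review the contact details regularly.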


Section 2: Web Application Development

This section of the GSD applies to applications available on the web that users interact with primarily via a web browser.  It should be followed carefully if you are building web apps.


Within this top level section there are 7 sub-sections:

  • Open Web Application Security Project
  • Web Application Frameworks
  • Web Application Interactions
  • Web Application Input Handling
  • Web Application Output Encoding
  • Web Browser-Based Security Controls
  • Web Application Event Logging

Open Web Application Security Project

OWASP is a non-profit community that promotes application security through projects like the Zed Attack Proxy (ZAP) and the purposefully vulnerable Juice Shop.

This section has only one control and it explicitly states that orgs should be following the Application Security Verification Standard (ASVS) when building web applications.


While I am personally a fan of the OWASP ASVS I am a little confused about why one security framework, the ISM, is referencing another, the OWASP ASVS?  Isn’t the point of the ISM to be a standalone security framework?  If so, why are we then nesting another framework within the ISM?

Web Application Frameworks

This section has one control and emphasizes the need to use existing “robust” web frameworks.  I think the main point here is to use off-the-shelf components to provide session management, input handling, and cryptographic operations.

Web frameworks like Angular, React and Laravel are awesome and save time for development teams.  Unfortunately, these frameworks sometimes come with built-in dependency issues; the react-scripts npm package is a good example, with hundreds of transitive dependencies.  Many of those transitive dependencies are out of date and insecure, as is often the case with JavaScript packages on npm.  So while we use components that save time and offer security benefits, we have to make sure we aren’t causing ourselves future trouble by picking the wrong frameworks.

Web Application Interactions

This section has one control and it’s pretty specific:  All web application content is offered exclusively using HTTPS.  That sounds pretty straightforward, right?

Unfortunately, enforcing encrypted HTTP traffic is more complicated than many people think and requires multiple controls to be aligned.  Engineers need to make sure that plaintext HTTP redirects to HTTPS, that HSTS is enabled on the HTTPS responses, that no page pulls in sub-resources over http://, and that TLS is terminated in a secure environment.

I wrote a blog post about enforcing HTTPS which you can read here: https://securestack.com/enforce-https/
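To make the three pieces above concrete (the redirect, HSTS, and a trusted TLS termination point), here is an added example in plain Node.js. It is not SecureStack’s code or anything from the post; it assumes TLS may be terminated at a reverse proxy that sets `X-Forwarded-Proto`, and the `ALLOWED_HOSTS` and `TRUSTED_PROXIES` values are constructed samples.

```javascript
// Added example, not SecureStack's code: decide for one request whether to
// redirect to HTTPS and which HSTS header to attach. Assumes TLS may be
// terminated at a trusted reverse proxy that sets X-Forwarded-Proto.
// ALLOWED_HOSTS and TRUSTED_PROXIES are constructed sample values.

const ALLOWED_HOSTS = new Set(['app.example.com']);
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// One year, cover subdomains, eligible for browser preload lists.
const HSTS_VALUE = 'max-age=31536000; includeSubDomains; preload';

// Effective scheme of the request. X-Forwarded-Proto is honoured only when
// the immediate peer is a trusted proxy; otherwise any client could claim
// "https" over plaintext and skip the redirect.
function effectiveScheme(req) {
  if (req.encrypted) return 'https';
  const forwarded = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  if (forwarded === 'https' && TRUSTED_PROXIES.has(req.remoteAddress)) return 'https';
  return 'http';
}

// Returns the response to send. Plaintext requests get a permanent redirect
// to the same path on https://; encrypted requests pass through with HSTS.
// HSTS is set only on HTTPS responses because browsers ignore it over HTTP.
function enforceHttps(req) {
  const host = String(req.headers.host || '').toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    // Building the redirect from an arbitrary Host header would turn it into
    // an open redirect, so only canonical hosts are accepted.
    return { status: 400, headers: {}, body: 'Bad Request' };
  }
  if (effectiveScheme(req) !== 'https') {
    return { status: 301, headers: { Location: `https://${host}${req.url}` }, body: '' };
  }
  return { status: 200, headers: { 'Strict-Transport-Security': HSTS_VALUE }, body: 'ok' };
}
```

The point of `effectiveScheme` is the “terminated in a secure environment” part of the control: if the application blindly trusts `X-Forwarded-Proto`, a plaintext request that carries the header bypasses the redirect, so the header is only honoured from the proxy that actually terminates TLS.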

Web application input handling

This section also has one control: Validation or sanitisation is performed on all input handled by web applications.  That sounds relatively straightforward but is fairly difficult to do and requires using multiple controls and functions.

Input validation requires equal parts developer training, testing of the source code, and testing of the running web application. That’s three different sets of tooling to bring together to meet this one requirement.
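As an added example of what the “validation or sanitisation on all input” control looks like in code (this is not SecureStack’s code and not from the post), here is allow-list validation of a constructed sign-up form in Node.js. The field names, rules and limits are assumptions chosen for illustration.

```javascript
// Added example, not SecureStack's code: allow-list validation of one
// constructed sign-up form. Bad input is rejected rather than "cleaned";
// normalisation is applied only where the canonical form is unambiguous.

const RULES = {
  username: { type: 'string', pattern: /^[a-z0-9_]{3,32}$/, normalize: (s) => s.trim().toLowerCase() },
  email:    { type: 'string', pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, maxLength: 254 },
  age:      { type: 'integer', min: 13, max: 120 },
  // Post-login redirect: same-origin relative path only, so no scheme and
  // no protocol-relative "//host" form.
  next:     { type: 'string', pattern: /^\/(?!\/)[\w\-.\/?=&%]*$/, optional: true },
};

// Validates a single raw form value against its rule. Form bodies arrive as
// strings, so integers are parsed here after a strict digit check.
function validateField(name, rule, raw) {
  if (raw === undefined || raw === null || raw === '') {
    return rule.optional ? { ok: true, value: undefined } : { ok: false, error: `${name}: required` };
  }
  if (typeof raw !== 'string') return { ok: false, error: `${name}: must be a string` };
  const value = rule.normalize ? rule.normalize(raw) : raw;
  if (rule.type === 'integer') {
    if (!/^-?\d{1,9}$/.test(value)) return { ok: false, error: `${name}: must be an integer` };
    const n = Number(value);
    if (n < rule.min || n > rule.max) return { ok: false, error: `${name}: out of range ${rule.min}-${rule.max}` };
    return { ok: true, value: n };
  }
  if (rule.maxLength && value.length > rule.maxLength) return { ok: false, error: `${name}: too long` };
  if (rule.pattern && !rule.pattern.test(value)) return { ok: false, error: `${name}: invalid format` };
  return { ok: true, value };
}

// Validates the whole body. Fields not named in RULES are dropped rather
// than passed through, which blocks mass-assignment of e.g. "isAdmin".
function validateForm(body) {
  const errors = [];
  const clean = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const r = validateField(name, rule, body[name]);
    if (r.ok) {
      if (r.value !== undefined) clean[name] = r.value;
    } else {
      errors.push(r.error);
    }
  }
  return { ok: errors.length === 0, errors, value: clean };
}
```

Two design choices matter here: the rules are allow-lists (what a value must look like) rather than deny-lists of bad characters, and the validated object is rebuilt from scratch, so anything the client sends that the form does not declare never reaches application logic.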


Web Application Output Encoding

This section has one control: Output encoding is performed on all output produced by web applications. This is a necessary requirement, because un-encoded data can cause serious issues when special characters are interpreted incorrectly by the web application.

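The reason a single “encode everything” helper is not enough is that the correct encoding depends on where the value is written. The following is an added example in Node.js, not SecureStack’s code, showing context-specific encoders for HTML text, HTML attribute values and URL query parameters, and a constructed template that picks the right one for each slot.

```javascript
// Added example, not SecureStack's code: contextual output encoding.
// The same untrusted value needs a different encoder depending on where it
// lands: HTML text, an HTML attribute value, or a URL query parameter.

const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// For HTML text nodes and for quoted attribute values. Encoding '/' as well
// means a closing tag can never be formed from data.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_MAP[ch]);
}

// For values placed into a URL query string. encodeURIComponent leaves
// !'()* untouched, so those are percent-encoded here as well.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value))
    .replace(/[!'()*]/g, (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase());
}

// Constructed template. The href is URL-encoded first and then attribute-
// encoded, because the value passes through both parsers in that order.
function renderProfileLink(displayName, searchTerm) {
  const href = '/search?q=' + encodeUrlParam(searchTerm);
  return `<a href="${encodeHtml(href)}" title="${encodeHtml(displayName)}">${encodeHtml(displayName)}</a>`;
}
```

Note the layering in `renderProfileLink`: a value that ends up in a URL inside an attribute is encoded for the URL context first and for the attribute context second, mirroring the order in which the browser will decode it. Values written into inline JavaScript or CSS need yet another encoder and are not covered by these two.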
Web browser-based security controls

While this section has only one control, it speaks to the need to address browser-based attacks like cross-site scripting, CSRF, and clickjacking. Modern web applications built with things like JavaScript run entirely in a user’s client-side browser. Traditional security controls can’t help here, which is why a new generation of controls was born, most of which are delivered as HTTP response headers. Content Security Policy, or CSP, is the best and most powerful of these, but unfortunately most websites do not use it.


Web application event logging

The final sub-section has two controls associated with it. The first says that all access attempts and errors need to be logged. The second stipulates that all logs are stored centrally in another location.

Unfortunately, we see less web server and application logging than we used to. In the era of the public cloud, many engineering teams misinterpret logging functions like AWS’s CloudWatch and CloudTrail, which log events at the cloud layer and NOT at the application layer. To be very clear: enabling CloudWatch and CloudTrail is NOT an effective application logging solution.

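To show what application-layer logging of access attempts and errors looks like, and what “stored centrally” means in code, here is an added Node.js example (not SecureStack’s code). The request objects are constructed, the in-memory `sink` array stands in for a remote collector such as syslog or a SIEM, and the redacted parameter names are an assumed list.

```javascript
// Added example, not SecureStack's code: application-layer access and error
// logging as newline-delimited JSON, buffered and shipped to a central sink.
// The sink is an in-memory array standing in for a remote collector; all
// request data in the test is constructed.

const REDACT_PARAMS = new Set(['token', 'password', 'session']); // assumed list

// Keeps the path but masks secret-bearing query parameters so credentials
// never reach the log store.
function redactQuery(url) {
  const i = url.indexOf('?');
  if (i < 0) return url;
  const params = url.slice(i + 1).split('&').map((kv) => {
    const [k] = kv.split('=');
    return REDACT_PARAMS.has(k.toLowerCase()) ? `${k}=[REDACTED]` : kv;
  });
  return url.slice(0, i + 1) + params.join('&');
}

// One entry per request: who, what, from where, and whether it was denied.
// These are the fields cloud-layer logs (CloudWatch/CloudTrail) do not carry.
function accessEntry({ req, status, userId, durationMs, now = new Date() }) {
  return {
    ts: now.toISOString(),
    kind: 'access',
    method: req.method,
    path: redactQuery(req.url),
    status,
    user: userId || 'anonymous',
    ip: req.remoteAddress,
    ua: String(req.headers['user-agent'] || '').slice(0, 200),
    duration_ms: durationMs,
    outcome: status === 401 || status === 403 ? 'denied' : status >= 500 ? 'error' : 'ok',
  };
}

// Error entries carry the message only: stack traces and request bodies
// leak internals and secrets into a store that many people can read.
function errorEntry({ req, err, userId, now = new Date() }) {
  return {
    ts: now.toISOString(),
    kind: 'error',
    method: req.method,
    path: redactQuery(req.url),
    user: userId || 'anonymous',
    ip: req.remoteAddress,
    message: err.message,
  };
}

// Buffers serialised entries and pushes batches to the central sink, so the
// copy of record lives off the web server.
class CentralLogShipper {
  constructor(sink, batchSize = 100) {
    this.sink = sink;
    this.batchSize = batchSize;
    this.buffer = [];
  }
  write(entry) {
    this.buffer.push(JSON.stringify(entry));
    if (this.buffer.length >= this.batchSize) this.flush();
  }
  flush() {
    if (this.buffer.length === 0) return;
    this.sink.push(this.buffer.join('\n'));
    this.buffer = [];
  }
}
```

In a real deployment `sink.push` becomes a network send to the collector and `flush` also runs on a timer and at shutdown; the shape of the entries is the part that matters for the ISM controls, because a denied login from an unexpected IP is only detectable if `outcome`, `user` and `ip` are recorded together at the application layer.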
How do we assess and implement these controls?

Okay, so now that we’ve laid out all 16 controls in the new Guidelines for Secure Development document, where do we go from here? Well, part of the challenge of this new ISM document is that it spans the whole software development lifecycle (SDLC). It talks about things the developer needs to do (local software testing) and it talks about segregating deployment environments. It talks about things that happen at the beginning of the lifecycle, and things that happen at the end of the lifecycle. It talks about how to build your web applications and it talks about how your customers should be protected while using that application in a browser.

Unified ISM compliance coverage for the SDLC?

All of these disparate controls focusing on different parts of the SDLC mean that there’s a broad surface area to assess and quantify against. This is one of the reasons that when we were building SecureStack we intentionally wanted to integrate into the multiple platforms our customers use. Unified coverage for the SDLC means integrating into source code management providers like GitHub, Bitbucket, and GitLab. It also means integrating into the continuous integration, deployment and build platforms. And it definitely means integrating into the public cloud providers like AWS, Azure and GCP. But finally, it also means that you need to have continuous awareness of the web application at the heart of this as well.


How can SecureStack help you assess your ISM compliance?

The SecureStack platform can help you assess and quantify your ISM GSD compliance with our SaaS platform.  We help you integrate your source code platform, CI/CD processes, build environments and your public cloud providers, and we do it all in less than 5 minutes.

That’s right! You can assess your entire software development lifecycle in less than 5 minutes with SecureStack. Check out the video to see how!

If you like what you see, book a demo!

Paul McCarty

Founder of SecureStack

DevSecOps evangelist, entrepreneur, father of 3 and snowboarder

Forbes Top 20 Cyber Startups to Watch in 2021!

Automate responses to security questionnaires!

Are you sick of filling out security questionnaires to meet some compliance or audit objectives?  Most of the software engineers we talk to that have to fill these pesky forms out hate the process.  Many of them say to us that they really want something that could automate responses to security questionnaires.

I had to fill out my first security questionnaire back in 2002. The questionnaire came in the form of a large Excel spreadsheet, and I remember looking at it and thinking at the time, “Man, that’s a LOT of questions!!” I wondered how they would know whether I was telling the truth. I could just put anything down, and how would they know if I was being honest? Would they come onsite and audit us?

Fast forward to 2022. We still use spreadsheets for our security questionnaires. They pretty much ask the same questions they did 20 years ago, and they are still being used by the same people. It is a hallmark of #infosec that you get told to fill out the questionnaire and it’s just something we all do.

Here’s the thing: Security questionnaires aren’t that good at determining risk.

  • Security questionnaires are lengthy and take a long time to fill out. The industry doesn’t trust them very much but continues to use them for lack of anything better. Only 14% of organizations surveyed said they are highly confident that security questionnaires represent true security profiles.
  • Finding the right people to talk to and getting responses from them is a real challenge. This is especially true if you are trying to ascertain compliance around software development processes and you need to talk to software engineers. Engineers are busy delivering software and often actively hostile to the audit or compliance processes. Software engineers will sometimes not respond to queries, which leaves the party responsible for collecting the data in the lurch.
  • Questionnaires are usually not very accurate. The person filling it out usually doesn’t have the answers and often makes up answers or guesses, neither of which help. When asked, most risk professionals admit they have very little confidence in security questionnaires.
  • Security questionnaires are a single point-in-time snapshot. Even if, somehow, the original data captured in the questionnaire was accurate, it doesn’t get updated, which means that you can’t really trust it for very long.

Developers are usually not aligned with security or compliance objectives

As mentioned above, security questionnaires aren’t great at determining risk in normal circumstances, but it’s even harder when you are trying to audit your software development processes.  Gathering data from software engineers can be really tough.  They are often resistant, and sometimes downright hostile to the idea that their development processes need to meet some compliance requirements.

Software engineers’ metric of success is not usually security or compliance-related.  Instead, it’s how fast they can deliver new features.  So, this explains in part why developers are often so against security teams asking them questions about their security protocols.  

How do you audit the CI/CD process?

Auditing the CI/CD processes to identify whether there are security or compliance gaps can be difficult.  Often, even gaining the right access can be a problem.  Engineering teams are often the ones with administrative access to the source code management (SCM) and CI/CD platforms, so getting them to provide access can be challenging.

Wouldn’t it be better if we could somehow automate the responses to these security questionnaires?


SecureStack automates responses to security questionnaires which saves your team time and money!

The DevSecOps Playbook

SecureStack is committed to open-source projects; that’s the reason we recently open-sourced the “DevSecOps Playbook”. This playbook, originally written by our CEO Paul McCarty, was an internal automation document that explained how to secure application environments. Now, after a bit of a re-work, it’s a comprehensive step-by-step guide to implementing a DevSecOps practice for any organization. So, we thought, why not share this with the world?!

Check out the GitHub project here: https://github.com/6mile/DevSecOps-Playbook


How to use this free open-source Playbook

The Playbook consists of 50 individual tasks that you can follow to make your application environments materially better. Each task has a Priority, which tells you what you should do first, as well as a Difficulty, which tells you how hard that task is. So your teams can start with all the priority 1 tasks and, once they’ve crossed all those off the list, move on to the priority 2 tasks. It’s really that simple.

If you like the playbook, feel free to star it on GitHub, or fork it for internal use.  If you see something that needs adjusting or if the Playbook is missing something, please create a PR!  We want the Playbook to be a community document!  You can check out our community stargazers here.

If you have a compliance or audit requirement that you need to address, check out the last column in each control’s row. There you will see any mappings that our community has associated with that particular control. Most tasks have been mapped to at least two frameworks, such as ISO27001, ISO27002, SOC2, CIS, APRA, NIST 800, Australian ISM/Essential 8, or PCI-DSS.


Accelerate your DevSecOps success with SecureStack

Because the Playbook started out as an internal piece of automation, it’s built right into the heart and soul of our solution.  The SecureStack platform will check your applications for all the controls listed on the DevSecOps Playbook and report back if it finds any missing.  Even better, our platform will help you understand how to address any gaps we find with our visibility and automation platform.   We give you real-time continuous compliance reporting on your applications, so you can meet ISO27001, ISO27002, SOC2, CIS, NIST 800, NIST SSDF, Australian ISM, or APRA requirements.  If you have a security questionnaire you need to fill out or are going through an audit and you’re being asked about how secure your software development processes are, then please reach out to us!
